DETAILED ACTION



This Office action is in response to Applicant's request for reconsideration and 
Affidavit filed under 37 CFR 1.131 on March 19, 2004. Claims 1-35 are presented for 
further consideration. These are the original claims, which have not been amended. 

Response to Amendment 

The Affidavit filed on March 19, 2004 under 37 CFR 1.131 has been considered 
and is effective to overcome the M2 Presswire reference. As a result, Examiner hereby
issues a new non-final Office action. 



Response to Arguments

Applicant has made no arguments regarding the substance of the art cited by
Examiner as it relates to the 35 USC 103 rejections.

Note that Examiner took Official Notice with regard to certain well-known claim
limitations. Applicant has not traversed these assertions in either of Applicant's two
responses. Therefore, Applicant's failure to traverse these Official Notice statements
serves as evidence of Applicant's admission that the asserted features are in fact well
known in the art. See MPEP § 2144.03(C).



Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set
forth in section 102 of this title, if the differences between the subject matter sought to be patented and
the prior art are such that the subject matter as a whole would have been obvious at the time the
invention was made to a person having ordinary skill in the art to which said subject matter pertains.
Patentability shall not be negatived by the manner in which the invention was made.

1. Claims 1-22, 24-26, and 31-35 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Parker ("Single Sign-On Systems - the Technologies and the
Products," 1995), in view of PR Newswire ("Microsoft Passport Offers Streamlined
Purchasing Across Leading Web Sites," October 11, 1999, hereinafter "PR").

In considering claims 1, 24, and 26, Parker discloses a method, network device, 
and computer usable medium for conveying access control information (a.c.i.) from one 
network device to another network device through an end user device, comprising: 
The one network device ("remote security server") in response to a first message 
received from the end user device ("user") containing access control information 
("authentication ticket"), sending a response message ("access ticket") to the end user 
device containing the a.c.i. (p. 152, ¶ 3, lines 1-5), the response message being
adapted to cause the end user device to send a second message to the another
network device ("target") containing at least part of the a.c.i. (p. 152, ¶ 3, lines 5-6);
Wherein at least part of the a.c.i. is used to control access to a protected resource on at
least one of the first and second network devices (p. 152, ¶ 3, wherein the tickets are
used to access protected resources). 

However, Parker does not disclose that the two network devices are on different 
domains. Instead, Parker simply states that the two servers are "part of the single sign- 
on product." Nonetheless, allowing single sign-on to network devices from different 
domains on a single sign-on system is well known, as evidenced by PR. In a similar art, 
PR discloses a multi-domain single sign-on system that allows Internet domains owned
by different companies or business partners to both participate in the single sign-on
system (p. 3, ¶ 3, "Passport allows consumers to use a single sign-in name and
electronic wallet at participating sites, reducing the amount of information they need to 
remember or retype."). Thus, given the teaching of PR, it would have been obvious to a 
person having ordinary skill in the art to use the single sign-on system taught by Parker 
for multiple domains, as taught by PR, to reduce the amount of information that users of 
multiple sites need to retype. 

In considering claim 2, Parker further discloses that the response message 
contains the a.c.i. (the "access ticket") and a network device identifier for the another 
network device (i.e. receipt of the access ticket instructs the user device to access the 
another network device, p. 152, ¶ 3). Parker further discloses that the second message
contains at least part of the a.c.i. (p. 152, ¶ 3, i.e. the "access ticket").

However, neither Parker nor PR discuss which part of the communication packet 
(i.e. header or content portion) contains the a.c.i. Nonetheless, Examiner takes official 
notice that including information in either the header or content portion of a data packet 
is well known in the art. Thus, storing the a.c.i. in the content portion, as claimed in 
claim 2, rather than in the header portion, would have been obvious to a person having 
ordinary skill in the art to simplify header processing of the packet.

In considering claim 3, Parker further discloses that the first message has a
header portion and a content portion (inherent in any Internet communication system),
and further discloses extracting the a.c.i. from the packet for use in the response
message (p. 152, ¶ 3, wherein the access ticket is extracted from the response and
placed in the second message for delivery to the target). 

However, neither Parker nor PR discuss which part of the communication packet 
(i.e. header or content portion) contains the a.c.i. Nonetheless, Examiner takes official 
notice that including information in either the header or content portion of a data packet 
is well known in the art. Thus, storing the a.c.i. in the header portion, as claimed in 
claim 3, rather than in the content portion, would have been obvious to a person having 
ordinary skill in the art to simplify content processing of the packet. 

In considering claim 4, Parker further discloses that the first message has a 
header portion and a content portion (inherent in any Internet communication system), 
and further discloses extracting the a.c.i. from the packet for use in the response 
message (p. 152, ¶ 3, wherein the access ticket is extracted from the response and
placed in the second message for delivery to the target). 

However, neither Parker nor PR discuss which part of the communication packet 
(i.e. header or content portion) contains the a.c.i. Nonetheless, Examiner takes official 
notice that including information in either the header or content portion of a data packet 
is well known in the art. Thus, storing the a.c.i. in the content portion, as claimed in 
claim 4, rather than in the header portion, would have been obvious to a person having
ordinary skill in the art to simplify header processing of the packet. 

In considering claim 5, Parker further discloses that hidden content is used in the 
response message to contain the a.c.i. (the "access ticket" is not actually seen by the 
user). 

In considering claims 6, 12 and 16, although the system taught by Parker and PR 
teaches substantial features of the claimed invention, it fails to disclose presenting an 
option to the end user device for user acceptance or to change and/or delete any of the 
user-specific information before sending the message to the another network. 
Nonetheless, Examiner takes official notice that changing user profile information in a 
network access system is well known in the art. Thus, given this knowledge, it would 
have been obvious to a person having ordinary skill in the art to change the user- 
specific information in the system taught by Parker and PR before sending the message 
to the another network, to give the user manual control over the method of presentation 
of the requested data. 

In considering claim 7, PR further discloses formatting the messages as a 
custom content type (p. 2, lines 18-21, "extensive customization"). Thus, given the 
teaching of PR, it would have been obvious to include the custom content type in the 
content portion of the response taught by Parker, so that the user entering the second
domain could still gain access to personalized, customized information.

In considering claim 8, Parker further discloses that at least part of the response 
message is protected by cryptographic means (p. 152, ¶ 5, line 1, "protected
cryptographically"). 

In considering claim 9, Examiner takes official notice that the use of HTTP on the 
Internet is notoriously well known. Therefore it would have been obvious for the 
messages taught by Parker to be HTTP messages, so that the system taught by Parker 
could be used with the majority of Internet applications and documents. 

In considering claim 10, Parker further discloses that the a.c.i. is a ticket.
Although Parker does not explicitly use the term "cookie" or describe the use of cookies, 
the ticket taught by Parker performs the same function as a "cookie." 

In considering claims 11 and 14, PR further discloses the use of user-specific
information in requesting documents from the multi-domain SSO system (p. 2, lines 18-
21, "extensive customization"; p. 1, ¶ 2, "electronic wallet that stores all their billing and
shipping information..."). Thus, given the teaching of PR, it would have been obvious to 
pass instructions regarding user-specific information in the response taught by Parker 
and including the user-specific information in the second message, so that the user
entering the second domain could still gain access to personalized information.

In considering claim 13, Parker further discloses an initial network device 
("remote authentication server") accessed by the end user device, the method further 
comprising: 

Prior to sending the response message, 

a. the initial network device receiving an initial access request from 
the end user device to access a protected resource on the initial network device 
(p. 152, ¶ 2, lines 1-2);

b. the initial network device performing an authentication process to 
determine if access should be granted ("authentication") and if so, responding 
with an access response message specifying the a.c.i. ("date token or certificate 
which can subsequently be used to prove the user's identity") in association with 
the domain of the initial network device and causing the end user device to send 
the first message (p. 152, ¶ 2, lines 2-7; ¶ 3, lines 1-4); and

On an ongoing basis after performing the authentication process allowing 
subsequent access to the protected resource to requests containing the access control 
information (p. 152, col. 2, lines 4-8). 

Although Parker refers to the initial device ("remote authentication server") and 
the one network device ("remote security server") as different devices (and thus does 
not teach that the one network device is an initial device, as claimed), it would have 
been obvious to a person having ordinary skill in the art to merge these two devices into
one, as claimed, in order to decrease network traffic and simplify the network 
communications in the system. 

In considering claim 15, PR further discloses that the user specific information 
comprises at least one of purchase enabling information and personal data ("billing and 
shipping information," p. 1, ¶ 2).

In considering claim 17, Parker further discloses protecting the a.c.i. information 
via cryptographic means. Therefore, it would have been obvious to a person having 
ordinary skill in the art to additionally use cryptographic means to protect the user- 
specific information to increase security of the system. 

In considering claim 18, claim 18 includes no further limitations over claims 1, 2,
and 4, except that claim 18 requires that the a.c.i. is in both the header and the content 
portion of the response message. Nonetheless, Examiner takes official notice that 
including information in a header and a data portion of a packet is well known. Thus, 
storing the a.c.i. in the header portion and the content portion, as claimed in claim 18 
would have been obvious to a person having ordinary skill in the art to balance the 
processing on both the header and the content portion of the packet.

In considering claim 19, Parker further discloses that the another network device
is specified in the input message (p. 152, ¶ 3, lines 1-2, "user selects a target
application server to access").

In considering claim 20, Parker further discloses that the another network device 
is specified by the network device (p. 152, ¶ 3, lines 4-6).

In considering claim 21, claim 21 contains no further limitations over claims 18
and 13, except that claim 21 requires that the response to the initial access request
includes the a.c.i. in the header portion of the packet. Nonetheless, Examiner takes
official notice that including information in either the header or content portion of a data
packet is well known in the art. Thus, storing the a.c.i. in the header portion, as claimed
in claim 21, rather than in the content portion, would have been obvious to a person
having ordinary skill in the art to simplify content processing of the packet. 

In considering claim 22, Parker further discloses the claimed authentication step 
(p. 152, ¶ 2, "authentication").

In considering claim 25, Parker further discloses a network device (server) 
adapted to implement the method of claim 18.

In considering claims 31-33, claims 31-33, taken as a whole, contain no further
limitations over claim 21, and are thus rejected for the same reasons as claim 21.

Claim 34 contains the same limitations as claim 31, and is thus rejected for the 
same reasons as discussed in claim 21 as well. 

Claim 35 contains no further limitations over claims 1, 2, 11, and 12 combined,
and is thus rejected for the same reasons as stated regarding those claims. 



Allowable Subject Matter

2. Claims 23, and 27-30 are allowed.

The following is a statement of reasons for the indication of allowable subject
matter: In considering claim 23, the prior art of record fails to disclose or render obvious
all of the limitations of the claim. Claims 27-30 depend from claim 23, and thus are
allowable as well.

Conclusion

The prior art made of record and not relied upon is considered pertinent to
applicant's disclosure.

a. The newly cited reference entitled "Single Sign-On in Windows 2000 Networks"
(from the Microsoft website) describes a Single Sign-On system for use across multiple
domains that is very similar to the system claimed (see pp. 1-4).




Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Bradley Edelman whose telephone number is
(703) 306-3041. The examiner can normally be reached on Monday to Friday from
8:30 AM to 5:00 PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Glen Burgess, can be reached on (703) 305-4792. The fax phone numbers
for the organization where this application or proceeding is assigned are as follows: 

For all After Final papers: (703) 746-7238. 

For all other correspondences: (703) 746-7239. 

Any inquiry of a general nature or relating to the status of this application or
proceeding should be directed to the receptionist whose telephone number is
(703) 305-3900.




BE 

April 15, 2004 




